Next Hop is through a Cisco Lan-Lan VPN tunnel - how to add to Cisco 1700 series ip route table

Asked by RolyT in Miscellaneous Networking, Networking Hardware Firewalls, Dynamic Host Configuration Protocol (DHCP)

Tags: cisco, tunnel, vpn, lan, route

I have three Cisco 1700 series VPN routers at three different locations.

Location1                      Location2                      Location3
Cisco 1712 <---VPN Tunnel---> Cisco 1712 <---VPN Tunnel---> Cisco 1710
10.27.2.x/24                   10.24.1.x/24                   10.24.99.x/24

Traffic from location 1 on the 10.27.2.x/24 subnet can communicate with Location2 on 10.24.1.x/24 both ways no problem.
Traffic from Location 2 on the 10.24.1.x/24 subnet can communicate with Location3 on 10.24.99.x/24 both ways no problem.

My problem is specifying in the ip route table on the routers in Location1 and 3 the next hop to enable traffic from location1 destined for location3 to pass through location2.

For example I would have expected to be able to issue on the location3 router ip route 10.27.2.0 255.255.255.0 10.24.1.25 - but this is not added to the route table.

The route table on location3's router is:
Gateway of last resort is 84.92.xx.xx to network 0.0.0.0

     84.0.0.0/29 is subnetted, 1 subnets
C       84.92.xx.xx is directly connected, Ethernet0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.24.99.0 is directly connected, FastEthernet0
S*   0.0.0.0/0 [1/0] via 84.92.xx.xx

I can't seem to find any way to use the VPN tunnel. The interesting thing is Pings and Traceroutes from the routers themselves don't seem to recognise the VPN tunnels even exist (they always go out on the default gateway) even though clients on each subnet can communicate quite happily with the network immediately connected through each tunnel no problem.

In the current config I know I could simply create a tunnel directly between locations 1 and 3 - but this is not really solving the issue, as in a more complex scenario where there are further routers at each location behind the VPN routers I will still need to specify a next hop which is through a tunnel - which is actually the problem I'm trying to solve.

I've included the config from location3 which is actually the router I've got setup at home to test with.

So any ideas on how to force into the routing table a next hop which is actually a router connected through the VPN tunnel?
When debug is switched on I've noticed the router attempt to add the route and then mention words to the effect it is erasing it.
If further info is required then let me know.

I've been pulling my hair out and trawling the web for ages trying to solve this little mystery to no avail!

Cheers

Roly.



!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname treenet1710
!
enable password 7 xxxxxxxxxxxx
!
memory-size iomem 25
ip subnet-zero
!
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxx address 80.229.xx.xx
!
!
crypto ipsec transform-set cm-transformset-1 ah-md5-hmac esp-3des
!
crypto map cm-cryptomap local-address Ethernet0
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 80.229.xx.xx
 set transform-set cm-transformset-1
 match address 100
!
!
!
!
interface Ethernet0
 description connected to Internet
 ip address 84.92.xx.xx 255.255.255.248
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map cm-cryptomap
!
interface FastEthernet0
 description connected to EthernetLAN
 ip address 10.24.99.9 255.255.255.0
 ip nat inside
 speed auto
!
router rip
 version 2
 passive-interface Ethernet0
 network 10.0.0.0
 no auto-summary
!
ip nat inside source route-map nonat interface Ethernet0 overload
ip nat inside source static tcp 10.24.99.11 80 84.92.xx.xx 80 extendable
ip nat inside source static tcp 10.24.99.11 1600 84.92.xx.xx 1600 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 84.92.xx.xx
ip route 10.27.2.0 255.255.255.0 10.24.1.25
no ip http server
ip pim bidir-enable
!
!
access-list 100 permit ip 10.24.99.0 0.0.0.255 10.24.1.0 0.0.0.255
access-list 101 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
!
route-map nonat permit 10
 match ip address 101
!
snmp-server community public RO
!
line con 0
 exec-timeout 0 0
 password 7 xxxxxxxxx
 login
line aux 0
line vty 0 4
 password 7 xxxxxxxx
 login
!
end
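
An added example (not from the question or from any expert comment), modelled on the treenet1710 config posted above: it applies Cisco wildcard-mask matching to crypto ACL 100 and to the `nonat` route-map ACL 101 to show how a flow leaving the 10.24.99.0/24 LAN is handled (IPsec, NAT, or forwarded unencrypted with a private destination), and checks whether a static route's next hop lies on one of the directly connected networks shown in the posted route table. The Ethernet0 prefix is redacted (84.92.xx.xx) on the page, so a placeholder /29 stands in for it.

```python
import ipaddress

# Entries copied from the posted config. ACL 100 selects traffic for the
# IPsec peer; route-map nonat (ACL 101) exempts 10/8 <-> 10/8 from NAT.
CRYPTO_ACL = ["permit ip 10.24.99.0 0.0.0.255 10.24.1.0 0.0.0.255"]
NONAT_ACL = ["deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255",
             "permit ip any any"]
# Directly connected networks from the posted route table. The real
# Ethernet0 address is redacted on the page; 84.92.0.0/29 is a placeholder.
CONNECTED = [ipaddress.ip_network("10.24.99.0/24"),
             ipaddress.ip_network("84.92.0.0/29")]


def _wild_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def _parse_ace(line):
    """Parse 'permit|deny ip SRC WILD DST WILD' with 'any' / 'host' forms."""
    tok = line.split()
    action, rest = tok[0], tok[2:]

    def take(r):
        if r[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), r[1:]
        if r[0] == "host":
            return (r[1], "0.0.0.0"), r[2:]
        return (r[0], r[1]), r[2:]

    src, rest = take(rest)
    dst, _ = take(rest)
    return action, src, dst


def acl_action(acl, src, dst):
    """First matching entry wins; Cisco ACLs end with an implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = _parse_ace(line)
        if _wild_match(src, sb, sw) and _wild_match(dst, db, dw):
            return action
    return "deny"


def classify(src, dst):
    """How the posted config treats one flow from FastEthernet0 out Ethernet0."""
    if acl_action(CRYPTO_ACL, src, dst) == "permit":
        return "ipsec"            # crypto map encrypts it toward the peer
    if acl_action(NONAT_ACL, src, dst) == "permit":
        return "nat"              # route-map nonat matched -> PAT to Ethernet0
    return "plaintext-private"    # neither: leaves via default route in the clear


def next_hop_connected(next_hop):
    """True if a static route's next hop is on a directly connected network."""
    return any(ipaddress.ip_address(next_hop) in n for n in CONNECTED)
```

With this config a 10.24.99.x host talking to 10.27.2.x matches neither the crypto ACL nor NAT, so the packet would be sent unencrypted to the ISP default gateway with a private destination; the next hop 10.24.1.25 in the failing `ip route` is not on any connected network of this router.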

01/06/05 09:20 AM, ID: 12974324 Expert Comment

01/06/05 09:22 AM, ID: 12974349 Expert Comment

01/06/05 10:57 AM, ID: 12975354 Author Comment

01/06/05 11:39 AM, ID: 12975827 Expert Comment

01/06/05 12:03 PM, ID: 12976070 Author Comment

01/06/05 01:02 PM, ID: 12976670 Accepted Solution

About this solution

Solution Provided By: lrmoore
Participating Experts: 2
Solution Grade: A

03/06/05 05:28 PM, ID: 13473052 Administrative Comment

03/06/05 05:31 PM, ID: 13473083 Expert Comment

03/14/05 04:12 AM, ID: 13533952 Administrative Comment

03/18/05 06:12 PM, ID: 13580081 Administrative Comment